Merge "Fix a bug in patrole documentation."
diff --git a/doc/source/index.rst b/doc/source/index.rst
index 308c12c..be3264e 100644
--- a/doc/source/index.rst
+++ b/doc/source/index.rst
@@ -14,6 +14,7 @@
installation
configuration
usage
+ testing
sampleconf
Developer's Guide
diff --git a/doc/source/testing.rst b/doc/source/testing.rst
new file mode 100644
index 0000000..d61c78d
--- /dev/null
+++ b/doc/source/testing.rst
@@ -0,0 +1,51 @@
+.. _patrole-testing:
+
+===============
+Patrole Testing
+===============
+
+Testing Scope
+=============
+
+Patrole testing scope is strictly confined to Role-Based Access Control
+(RBAC). In OpenStack, ``oslo.policy`` is the RBAC library used by all
+major services. Thus, Patrole is concerned with validating that public API
+endpoints are correctly using ``oslo.policy`` for authorization.
+
+In other words, all tests in Patrole are RBAC tests.
+
+Stable Tests
+============
+
+In the discussion below, "correct" means that a test is consistent with
+a service's API-to-policy mapping and "stable" means that a test should
+require minimal maintenance for the supported releases.
+
+Present
+-------
+
+During the Queens release, a `governance spec`_ was pushed to support policy
+in code, which documents the mapping between APIs and each of their policies.
+
+This documentation is an important prerequisite for ensuring that Patrole
+tests for a given service are correct. This mapping can be referenced to
+confirm that Patrole's assumed mapping for a test is correct. For
+example, Nova has implemented policy in code which can be used to verify
+that Patrole's Nova RBAC tests use the same mapping.
+
+If a given service does not have policy in code, this implies that it is
+*more likely* that the RBAC tests for that service are inconsistent with the
+*intended* policy mapping. Until that service implements policy in code, it
+is difficult for Patrole maintainers to verify that tests for that service
+are correct.
+
+Future
+------
+
+Once all services that Patrole tests have implemented policy in code --
+and once Patrole has updated all its tests in accordance with the policy in
+code documentation -- then Patrole tests can guaranteed to be stable.
+
+This stability will be denoted with a 1.0 version release.
+
+.. _governance spec: https://governance.openstack.org/tc/goals/queens/policy-in-code.html
diff --git a/patrole_tempest_plugin/tests/api/network/test_networks_multiprovider_rbac.py b/patrole_tempest_plugin/tests/api/network/test_network_segments_rbac.py
similarity index 76%
rename from patrole_tempest_plugin/tests/api/network/test_networks_multiprovider_rbac.py
rename to patrole_tempest_plugin/tests/api/network/test_network_segments_rbac.py
index 9c65c14..1dee46b 100644
--- a/patrole_tempest_plugin/tests/api/network/test_networks_multiprovider_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_network_segments_rbac.py
@@ -14,6 +14,7 @@
# under the License.
from oslo_log import log
+
from tempest.common import utils
from tempest.lib.common.utils import data_utils
from tempest.lib.common.utils import test_utils
@@ -26,18 +27,34 @@
LOG = log.getLogger(__name__)
-class NetworksMultiProviderRbacTest(base.BaseNetworkRbacTest):
+class NetworkSegmentsRbacTest(base.BaseNetworkRbacTest):
@classmethod
def skip_checks(cls):
- super(NetworksMultiProviderRbacTest, cls).skip_checks()
+ super(NetworkSegmentsRbacTest, cls).skip_checks()
if not utils.is_extension_enabled('multi-provider', 'network'):
msg = "multi-provider extension not enabled."
raise cls.skipException(msg)
+ @classmethod
+ def resource_setup(cls):
+ super(NetworkSegmentsRbacTest, cls).resource_setup()
+ # Find the network type that is supported by the current cloud by
+ # checking which network type other networks currently have. This is
+ # done because there is no tempest.conf option enumerating supported
+ # network types.
+ networks = cls.networks_client.list_networks()['networks']
+ network_types = [n['provider:network_type'] for n in networks
+ if n['provider:network_type'] != 'flat']
+ if not network_types:
+ raise cls.skipException(
+ 'Could not find network with provider:network_type that is '
+ 'not "flat".')
+ cls.network_type = network_types[0]
+
def _create_network_segments(self):
- segments = [{"provider:network_type": "gre"},
- {"provider:network_type": "gre"}]
+ segments = [{'provider:network_type': self.network_type},
+ {'provider:network_type': self.network_type}]
body = self.networks_client.create_network(
name=data_utils.rand_name(self.__class__.__name__),
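Review bot: The list comprehension in the new `resource_setup` indexes `n['provider:network_type']` directly, so any network returned without that attribute raises `KeyError` and fails class setup instead of reaching the skip. Neutron normally exposes provider attributes only to privileged roles, so whether the key is present depends on which credentials `cls.networks_client` holds at that point, which the hunk does not show. Reading it with `.get` and filtering on `if n.get('provider:network_type') not in (None, 'flat')` keeps the skip path reachable. When the skip is taken, none of the segments policies are exercised on that cloud, so the skip message is the only signal that this RBAC coverage is missing. The body of `_create_network_segments` continues outside the hunk.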
@@ -68,7 +85,7 @@
RBAC test for the neutron update_network:segments policy
"""
network = self._create_network_segments()
- new_segments = [{"provider:network_type": "gre"}]
+ new_segments = [{'provider:network_type': self.network_type}]
with self.rbac_utils.override_role(self):
self.networks_client.update_network(network['id'],
@@ -92,7 +109,7 @@
# If user does not have access to the network segments attribute,
# no NotFound or Forbidden exception are thrown. Instead,
# the response will have an empty network body only.
- if len(response_network) == 0:
+ if not response_network:
LOG.info("NotFound or Forbidden exception are not thrown when "
"role doesn't have access to the endpoint. Instead, "
"the response will have an empty network body.")
diff --git a/requirements.txt b/requirements.txt
index 35c6038..cc13aa9 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,7 +3,7 @@
# process, which may cause wedges in the gate later.
pbr!=2.1.0,>=2.0.0 # Apache-2.0
oslo.log>=3.36.0 # Apache-2.0
-oslo.config>=5.1.0 # Apache-2.0
+oslo.config>=5.2.0 # Apache-2.0
oslo.policy>=1.30.0 # Apache-2.0
tempest>=17.1.0 # Apache-2.0
stevedore>=1.20.0 # Apache-2.0
diff --git a/test-requirements.txt b/test-requirements.txt
index add2388..475d1e5 100644
--- a/test-requirements.txt
+++ b/test-requirements.txt
@@ -3,7 +3,7 @@
# process, which may cause wedges in the gate later.
hacking>=1.0.0 # Apache-2.0
-sphinx!=1.6.6,>=1.6.2 # BSD
+sphinx!=1.6.6,!=1.6.7,>=1.6.2 # BSD
openstackdocstheme>=1.18.1 # Apache-2.0
reno>=2.5.0 # Apache-2.0
fixtures>=3.0.0 # Apache-2.0/BSD